This is Part Two of a two-part series. Read Part One here.
Mergers and Acquisitions (M&A) is a complex, lengthy courtship process that should bring two entities closer together, and cybersecurity has emerged as a core element in the process. For example, consider the regulatory environment around data breaches. With both the delayed reporting and heightened fine structure under FTC or the GDPR, it’s very easy to imagine acquiring a company that will trigger a violation post close and thereby damage the reputation or security posture of the acquiring entity, at significant expense.
The current malware and ransomware epidemics continue to have wide impact, both on under-resourced government entities and on large entities with significant cyber capability. Business interruption is the major concern for all companies. If you look at Maersk’s statement from 2016, they understood the risk but still suffered from a NotPetya infection: “The risk is managed through close monitoring and enhancements of cyber resilience and focus on business continuity management in the event that IT systems, despite their efforts, are affected.”
If you are a company that has recently completed a merger or may be contemplating an M&A transaction, how can you filter out the risky acquisitions from seemingly positive disclosure?
I interviewed three leading practitioners to better understand the most important components of a cyber M&A due diligence. I spoke with:
What follows is not an exhaustive list of steps, but some interesting insights and pointers to potential issues. Our discussion flowed from the early stages of a transaction through to completion and then to ‘post deal,’ and includes general guidance as well as pointed replies to questions.
BARNABY: Last year, we had SEC cyber guidance on BEC that cited 10-11 companies lost $100 million in aggregate. Do acquisition candidates seem to be following regulatory controls?
LUKE: Well, it’s all over the spectrum as you would expect, and more sophisticated parties certainly are, but startups seem generally much less aware on those issues. There are certainly exceptions. They are getting their business launched and are not majoring in some of the legal developments in the space. So, we often have to get them up to speed.
Another risk is integration. When you go to ingest systems into your own, that’s the greatest risk. Sometimes the acquisition remains as a standalone business and the systems may have some kind of connectivity to the Buyer’s systems, such that there’s some level of trust in between networks, but they are separate. But there are situations when a client has gone to integrate the network systems and data of the target that they’d acquired and closed on, only to find out that they’d effectively be swallowing a pill that is not worth taking.
The other variable is that you try to get a sense of how they are vetting their own employees, contractors, and vendors. They are dependent on the trust of their own people including their vendors. It might be they have the best of intentions, but they are not doing a good job of vetting some of their employees and that may be in certain countries, for example. All of this is part of the risk picture that we present to the client.
If you are acquiring a business with 20 million records that were collected with consent as part of the business, can I as the acquiring company, have use of that database or are they required to refresh the consent?
CHRIS: In our experience, these issues are reviewed on a case-by-case basis. Whether action is required will depend upon several factors such as where the companies are doing business, how the systems are being integrated, where data is being held and the laws that both companies may be subject to. The insurance markets would defer to legal teams and outside legal counsel to provide a review of the status of the networks and data pre-transaction and then the changes that need to take place post transaction.
Given the many legal changes that are taking place around the world and with enforcement becoming more aggressive, these are issues which should be being reviewed on a constant basis.
LUKE: You have to understand whether or not the consent will carry through to the Buyer. We work on a lot of acquisitions around the world and the client may want to buy a target in a part of the world that has very strict data localization law like China, in which case we will need to advise our client on the ability to move that data out of the host country or not, and they have to make valuations or decisions accordingly.
Even doing penetration testing in some parts of the world requires a careful legal analysis - you cannot just cart out data in and out of every country in the world. You have to be keenly aware of the local requirements and get the necessary government approvals to do so.
On allocating risks between the Seller and the Buyer, to what extent is info available to the Buyer to judge the IT security posture of a selling company? How do you protect the value of the acquired data in a contract?
LUKE: The data issues are moving front and center in more and more transactions, because we have more technology and more data-focused companies being bought and sold. What I think that means is that there’s an increased likelihood that the Buyer will be able to negotiate a very large-scale data breach, for example, as a material adverse event that could allow them to back out of closing if it’s discovered between signing and closing, or to be leveraged to renegotiate the price.
What is the interplay between the components of the purchase and sale agreement, and the representations and warranties (R&W) coverage?
CHRIS: The insurance under reps and warranties insurance policies will depend upon the representations and warranties in the purchase agreement. Surprisingly, many agreements still do not make specific reference to cyber, but they are becoming less common. R&W insurance can provide several options depending upon the perceived risk, the target company and the size and type of the transaction.
Companies can negotiate full cover for cyber under their R&W policy with the insurance market if the risks seem relatively insignificant, the representations and warranties in the contract seem to be manageable, or if the premium is attractive to insurers. Where the risks are significant or representations in the contract open the possibility of responsibility for large losses, the R&W carriers are likely to seek to limit their responsibility for cyber exposures. Buyers for R&W cover should beware of carriers adding specific exclusions for statutes such as GDPR, the EU privacy legislation.
R&W insurers may require the Buyer to purchase and maintain cyber cover for a set number of years post-closing of the transaction, a requirement that we are seeing in more and more transactions. The R&W carriers will then sit above the cyber coverage but may further limit their exposure to the coverage that is provided in the cyber policy.
Whether cyber gets flagged as a risk in the reps and warranties process depends on the type of target and their specific business. Even if a deal has a very short turnaround and the insurance markets are asked to push it through to the close date as quickly as possible, we see the representations and warranty carriers and due diligence by firms being extremely thorough. If there is a risk to be aware of, it will be fleshed out in the underwriting process.
If the target company is being transparent, would your next action be to do a thorough evaluation?
LUKE: At a minimum, you want the Seller to be sharing their own test results with you. And ideally, they have their own third-party penetration test and other technical tests, but of course, the devil is in the details in how you designed the test. And so, increasingly Buyers will be asking Sellers for the ability to have their own third-party trusted expert like KPMG do that technical testing and evaluate the results.
And it needs to be a careful protocol worked out in terms of access to what’s necessary, but not access to customer content, for example. There are careful protocols worked out for this type of hands-on testing that is for the benefit of the Buyer. And the Seller’s rightfully nervous that they may learn something about their network that they did not know, that now paints them with knowledge as to other prospective Buyers.
How “hands on” can the acquiring entity be during the deal?
LUKE: In general, you can work with the Buyer to preserve the assets, but you cannot take over their operations before closing. What’s good is if you’ve done good diligence, you then come out of the closing with a sprint to take care of the priority issues.
What is the greater concern for the acquiring entity, the first party exposures from poor cyber controls or related third party, industry fines (PCI) or government fines?
CHRIS: Buyers and Sellers should want to audit their respective insurance programs of both companies and be ready to align insurance with cyber exposures to make sure there are no gaps in coverage. The best companies go through a checklist of exposures in order to make sure that they have considered what can be insured and then make a conscious decision on transferring the risk or not. Where insured exposures are being handed from one insurance program to another, companies need to make sure programs are aligned.
How do Directors and Officers (D&O) and R&W insurance work together?
CHRIS: Lawsuits against directors and officers have come about in mergers and acquisitions as a result of cyber issues. Those involved in transactions should make sure firstly that their D&O liability program is sufficient to protect individuals in the event there is a suit after a cyber issue. Directors and officers can make themselves aware of cyber issues from advice from law firms such as Debevoise, and advisors such as Blackberry Cylance and KPMG that can provide protection against cyber risk. The best solution is not to have a cyber event and avoid calling upon insurance programs.
Purchasing R&W and cyber coverage adds an additional layer of protection for directors, officers and corporations. If there is an issue, companies and their employees can point to another layer of protection that they put into place prior to the transaction if there is a cyber issue that arises. The advantage of being able to say that they anticipated the risk and financed it through insurance can have a considerable positive impact from a public relations standpoint in the crisis stage after a breach.
What are your main watch areas post-close?
CHRIS: Many cyber events occur in the first few months after an event when changes in staff, and other integration is taking place. Keeping breach response vendors coordinated. Confirming controls the Seller said were in place are in place. Making sure that insurance carriers are aware of discovery of any issues with a view to the following renewal.
JIM: During the transaction or post deal period is where we are seeing the most growth in Cyber Due Diligence. Buyers are performing more in-depth dark net and threat intelligence due diligence. Tools and services are employed to search the dark net for information about the company’s executives, customers, vendors, Intellectual Property and other valuable information. Also scanning is performed to see if the target has any open ports or other vulnerabilities. It is important for the Buyer to know if the target is compromised and its assets are already available for sale on the dark net.
Bad actors are also known to pick up their attacks on target companies during this post deal period because they know both the Seller and the Buyer are focusing on the transaction and oftentimes neglect their overall cybersecurity. This is also a stressful time for the target company’s employees who are uncertain about their future employment and are prone to making mistakes and even attempting to copy or otherwise misappropriate the company’s intellectual property. For these reasons the Buyer should step up its threat intelligence investigation of the company to monitor and investigate any new activity it sees about the target.
LUKE: Our role is usually to carry through on updating any risk assessments that the client wants to do or is required to do, so we now take into account the new pieces that have been added both personnel and systems, data and so forth. And we work to move the compliance pieces up to date and current with the acquisition.
If issues arise, then we are then well-positioned to advise the client because we have the whole context of having studied the target, knowing our own client, and being able to spot potential seams or gaps in the integration. And we will typically work with the technical teams to help with that process. It’s got both controls aspects and compliance aspects, legal aspects, and our team is quite technical for being lawyers, but our primary job is on the legal issues.
One article cited that 40% of cyber-related problems are discovered post-M&A. Does that sound right?
LUKE: Maybe a bit high but not outrageously so. Very troubling if it’s true.
How should the acquirer work with Insurance policies of both companies to maximize protection post close?
CHRIS: The liability where a breach occurs prior to the closing of a transaction, but the claim comes to light after the transaction can be dealt with in two ways under a cyber policy. The policy purchased by the selling company can be extended. Alternatively, the purchasing company can amend or purchase a cyber policy to cover the purchased company.
If they choose the latter, the insurance should be amended to cover the selling company’s “prior acts.” Depending upon the risk, underwriters may ask for information on the transaction and the company being purchased by endorsement, which may cost an additional amount if the company is large or high risk. For the most complex transactions with the highest risks, we have placed a separate cyber-insurance program for the purchased company. This type of structure allows the purchasing company to not have its program be impacted by the purchased entity while the purchaser has an opportunity to assess systems and the cyber exposures at the new entity with full access to their technology.
For smaller transactions, the buyer’s cyber policy should have an acquisition threshold that allows for target companies to be added to existing coverage at no extra charge. These provisions allow purchasing companies to add cyber cover based upon a percentage of the revenue of the purchaser company which can go as high as 25%.
For large companies, these clauses should allow immediate coverage for purchased companies for at least 90 days and allow negotiation of revised insurance terms. A cyber broker should negotiate these clauses into a program prior to the transaction. If there are systems breaches which might have taken place prior to the company being purchased which have not been discovered, they could represent an exposure to the purchasing company which can be insured in a cyber policy, but only with specific amendments.
Is there a window of time for things to be taken care of that you set in the purchase and sale agreement?
Unfortunately, there are still instances where the Buyer is not allowed to perform adequate Cyber Due Diligence in the pre-deal and post-deal phases of the transaction. In these cases, it’s critical for the Buyer to begin assessing the overall cybersecurity of the newly acquired organization as soon as possible after closing. Then the Buyer needs to begin remediating the high-risk cybersecurity issues identified during the Cyber Due Diligence and post-closing investigation of the target company.
We are seeing positive trends in the market where our clients are beginning to insist on more robust Cyber Due Diligence and following up after the closing of the transaction to address identified cybersecurity issues. We are also seeing more PE Firm clients start to complete cybersecurity valuations of their existing portfolio companies to ensure they are protecting the value of their investment.
CHRIS: If we are placing either the Cyber or Reps & Warranties policies, or both, we remain involved as the broker for purposes of continuing to service the policy, manage and advocate regarding any claims that may arise and continue our ongoing relationship with the insured.
In large transactions, keeping underwriters informed, integration of systems and the status of IT protections at the purchased company is critical to keeping cyber insurance cover in place and preventing any restrictions on terms for activities of the purchased company. Setting up underwriting meetings for communicating this type of information is critical to keeping strong relationships with insurance carriers and preventing issues in the claims process should any occur.
About our Experts
Luke Dembosky is a cybersecurity and litigation partner at Debevoise & Plimpton, based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Cybersecurity & Data Privacy practice and a member of the White Collar & Regulatory Defense Group. Read Luke’s full bio here.
Jim is a principal in KPMG LLP’s Cyber Services group and helps lead KPMG’s Cyber Response practice and the Cyber Insurance Channel. Jim has over 30 years of practical business and legal experience, including over 20 years of private practice, in-house legal, forensic, and cyber consulting experience. Read Jim’s full bio here.
Chris Keegan is the Senior Managing Director at Beecher Carlson. Jim is skilled in Privacy Law, Enterprise Risk Management, Insurance Law, and Financial Risk. He is an experienced business development professional with a JD focused in Law from Saint John's University School of Law. Read Chris’s full bio here.